Add missing folder features to project factory and align logging across folder/org modules (#3779)

2026-03-04 10:28:48 +01:00
parent e45e8089ff
commit 0be09646b0
24 changed files with 651 additions and 149 deletions
--- a/modules/project-factory/README.md
+++ b/modules/project-factory/README.md
--- a/modules/project-factory/folders.tf
+++ b/modules/project-factory/folders.tf
@@ -54,6 +54,8 @@ module "folder-1" {
  for_each = {
    for k, v in local.folders_input : k => v if v.level == 1
  }
+  folder_create       = lookup(each.value, "id", null) == null
+  id                  = lookup(each.value, "id", null)
  deletion_protection = lookup(each.value, "deletion_protection", false)
  parent              = coalesce(each.value.parent, "$folder_ids:default")
  name                = each.value.name
@@ -65,6 +67,7 @@ module "folder-1" {
  pam_entitlements        = lookup(each.value, "pam_entitlements", {})
  tag_bindings            = lookup(each.value, "tag_bindings", {})
  assured_workload_config = lookup(each.value, "assured_workload_config", null)
+  logging_settings        = lookup(each.value, "logging", null)
  context                 = local.ctx
 }

@@ -73,13 +76,14 @@ module "folder-1-iam" {
  for_each = {
    for k, v in local.folders_input : k => v if v.level == 1
  }
-  id          = module.folder-1[each.key].id
-  asset_feeds = lookup(each.value, "asset_feeds", {})
+  folder_create = false
+  id            = module.folder-1[each.key].id
+  asset_feeds   = lookup(each.value, "asset_feeds", {})
+  asset_search  = lookup(each.value, "asset_search", {})
  factories_config = {
    # we do anything that can refer to IAM and custom roles in this call
    pam_entitlements = try(each.value.factories_config.pam_entitlements, null)
  }
-  folder_create                 = false
  autokey_config                = lookup(each.value, "autokey_config", null)
  iam                           = lookup(each.value, "iam", {})
  iam_bindings                  = lookup(each.value, "iam_bindings", {})
@@ -88,8 +92,10 @@ module "folder-1-iam" {
  iam_by_principals_additive    = lookup(each.value, "iam_by_principals_additive", {})
  iam_by_principals_conditional = lookup(each.value, "iam_by_principals_conditional", {})
  logging_data_access           = lookup(each.value, "data_access_logs", {})
+  logging_sinks                 = try(each.value.logging.sinks, {})
  context = merge(local.ctx, {
    iam_principals  = local.ctx_iam_principals
+    kms_keys        = merge(local.ctx.kms_keys, local.kms_keys)
    project_ids     = local.ctx_project_ids
    project_numbers = local.ctx_project_numbers
  })
@@ -100,6 +106,8 @@ module "folder-2" {
  for_each = {
    for k, v in local.folders_input : k => v if v.level == 2
  }
+  folder_create       = lookup(each.value, "id", null) == null
+  id                  = lookup(each.value, "id", null)
  deletion_protection = lookup(each.value, "deletion_protection", false)
  parent = coalesce(
    each.value.parent, "$folder_ids:${each.value.parent_key}"
@@ -113,6 +121,7 @@ module "folder-2" {
  pam_entitlements        = lookup(each.value, "pam_entitlements", {})
  tag_bindings            = lookup(each.value, "tag_bindings", {})
  assured_workload_config = lookup(each.value, "assured_workload_config", null)
+  logging_settings        = lookup(each.value, "logging", null)
  context = merge(local.ctx, {
    folder_ids = merge(local.ctx.folder_ids, {
      for k, v in module.folder-1 : k => v.id
@@ -126,13 +135,14 @@ module "folder-2-iam" {
  for_each = {
    for k, v in local.folders_input : k => v if v.level == 2
  }
-  asset_feeds = lookup(each.value, "asset_feeds", {})
-  id          = module.folder-2[each.key].id
+  folder_create = false
+  id            = module.folder-2[each.key].id
+  asset_feeds   = lookup(each.value, "asset_feeds", {})
+  asset_search  = lookup(each.value, "asset_search", {})
  factories_config = {
    # we do anything that can refer to IAM and custom roles in this call
    pam_entitlements = try(each.value.factories_config.pam_entitlements, null)
  }
-  folder_create                 = false
  autokey_config                = lookup(each.value, "autokey_config", null)
  iam                           = lookup(each.value, "iam", {})
  iam_bindings                  = lookup(each.value, "iam_bindings", {})
@@ -141,11 +151,13 @@ module "folder-2-iam" {
  iam_by_principals_additive    = lookup(each.value, "iam_by_principals_additive", {})
  iam_by_principals_conditional = lookup(each.value, "iam_by_principals_conditional", {})
  logging_data_access           = lookup(each.value, "data_access_logs", {})
+  logging_sinks                 = try(each.value.logging.sinks, {})
  context = merge(local.ctx, {
    folder_ids = merge(local.ctx.folder_ids, {
      for k, v in module.folder-1 : k => v.id
    })
    iam_principals  = local.ctx_iam_principals
+    kms_keys        = merge(local.ctx.kms_keys, local.kms_keys)
    project_ids     = local.ctx_project_ids
    project_numbers = local.ctx_project_numbers
  })
@@ -156,6 +168,8 @@ module "folder-3" {
  for_each = {
    for k, v in local.folders_input : k => v if v.level == 3
  }
+  folder_create       = lookup(each.value, "id", null) == null
+  id                  = lookup(each.value, "id", null)
  deletion_protection = lookup(each.value, "deletion_protection", false)
  parent = coalesce(
    each.value.parent, "$folder_ids:${each.value.parent_key}"
@@ -169,6 +183,7 @@ module "folder-3" {
  pam_entitlements        = lookup(each.value, "pam_entitlements", {})
  tag_bindings            = lookup(each.value, "tag_bindings", {})
  assured_workload_config = lookup(each.value, "assured_workload_config", null)
+  logging_settings        = lookup(each.value, "logging", null)
  context = merge(local.ctx, {
    folder_ids = merge(local.ctx.folder_ids, {
      for k, v in module.folder-2 : k => v.id
@@ -182,13 +197,14 @@ module "folder-3-iam" {
  for_each = {
    for k, v in local.folders_input : k => v if v.level == 3
  }
-  id          = module.folder-3[each.key].id
-  asset_feeds = lookup(each.value, "asset_feeds", {})
+  folder_create = false
+  id            = module.folder-3[each.key].id
+  asset_feeds   = lookup(each.value, "asset_feeds", {})
+  asset_search  = lookup(each.value, "asset_search", {})
  factories_config = {
    # we do anything that can refer to IAM and custom roles in this call
    pam_entitlements = try(each.value.factories_config.pam_entitlements, null)
  }
-  folder_create                 = false
  autokey_config                = lookup(each.value, "autokey_config", null)
  iam                           = lookup(each.value, "iam", {})
  iam_bindings                  = lookup(each.value, "iam_bindings", {})
@@ -197,11 +213,13 @@ module "folder-3-iam" {
  iam_by_principals_additive    = lookup(each.value, "iam_by_principals_additive", {})
  iam_by_principals_conditional = lookup(each.value, "iam_by_principals_conditional", {})
  logging_data_access           = lookup(each.value, "data_access_logs", {})
+  logging_sinks                 = try(each.value.logging.sinks, {})
  context = merge(local.ctx, {
    folder_ids = merge(local.ctx.folder_ids, {
      for k, v in module.folder-2 : k => v.id
    })
    iam_principals  = local.ctx_iam_principals
+    kms_keys        = merge(local.ctx.kms_keys, local.kms_keys)
    project_ids     = local.ctx_project_ids
    project_numbers = local.ctx_project_numbers
  })
@@ -212,6 +230,8 @@ module "folder-4" {
  for_each = {
    for k, v in local.folders_input : k => v if v.level == 4
  }
+  folder_create       = lookup(each.value, "id", null) == null
+  id                  = lookup(each.value, "id", null)
  deletion_protection = lookup(each.value, "deletion_protection", false)
  parent = coalesce(
    each.value.parent, "$folder_ids:${each.value.parent_key}"
@@ -225,6 +245,7 @@ module "folder-4" {
  pam_entitlements        = lookup(each.value, "pam_entitlements", {})
  tag_bindings            = lookup(each.value, "tag_bindings", {})
  assured_workload_config = lookup(each.value, "assured_workload_config", null)
+  logging_settings        = lookup(each.value, "logging", null)
  context = merge(local.ctx, {
    folder_ids = merge(local.ctx.folder_ids, {
      for k, v in module.folder-3 : k => v.id
@@ -238,13 +259,14 @@ module "folder-4-iam" {
  for_each = {
    for k, v in local.folders_input : k => v if v.level == 4
  }
-  id          = module.folder-4[each.key].id
-  asset_feeds = lookup(each.value, "asset_feeds", {})
+  folder_create = false
+  id            = module.folder-4[each.key].id
+  asset_feeds   = lookup(each.value, "asset_feeds", {})
+  asset_search  = lookup(each.value, "asset_search", {})
  factories_config = {
    # we do anything that can refer to IAM and custom roles in this call
    pam_entitlements = try(each.value.factories_config.pam_entitlements, null)
  }
-  folder_create                 = false
  autokey_config                = lookup(each.value, "autokey_config", null)
  iam                           = lookup(each.value, "iam", {})
  iam_bindings                  = lookup(each.value, "iam_bindings", {})
@@ -253,11 +275,13 @@ module "folder-4-iam" {
  iam_by_principals_additive    = lookup(each.value, "iam_by_principals_additive", {})
  iam_by_principals_conditional = lookup(each.value, "iam_by_principals_conditional", {})
  logging_data_access           = lookup(each.value, "data_access_logs", {})
+  logging_sinks                 = try(each.value.logging.sinks, {})
  context = merge(local.ctx, {
    folder_ids = merge(local.ctx.folder_ids, {
      for k, v in module.folder-3 : k => v.id
    })
    iam_principals  = local.ctx_iam_principals
+    kms_keys        = merge(local.ctx.kms_keys, local.kms_keys)
    project_ids     = local.ctx_project_ids
    project_numbers = local.ctx_project_numbers
  })
--- a/modules/project-factory/schemas/folder.schema.json
+++ b/modules/project-factory/schemas/folder.schema.json
@@ -4,6 +4,30 @@
  "type": "object",
  "additionalProperties": false,
  "properties": {
+    "asset_search": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^[a-z0-9-]+$": {
+          "type": "object",
+          "additionalProperties": false,
+          "required": [
+            "asset_types"
+          ],
+          "properties": {
+            "asset_types": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            },
+            "query": {
+              "type": "string"
+            }
+          }
+        }
+      }
+    },
    "asset_feeds": {
      "type": "object",
      "additionalProperties": false,
@@ -236,6 +260,73 @@
    "deletion_protection": {
      "type": "boolean"
    },
+    "id": {
+      "type": "string",
+      "pattern": "^(folders/[0-9]+|\\$folder_ids:[a-z0-9_-]+)$"
+    },
+    "firewall_policy": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "name",
+        "policy"
+      ],
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "policy": {
+          "type": "string"
+        }
+      }
+    },
+    "logging": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "kms_key_name": {
+          "type": "string"
+        },
+        "storage_location": {
+          "type": "string"
+        },
+        "sinks": {
+          "type": "object",
+          "additionalProperties": false,
+          "patternProperties": {
+            "^[a-z][a-z0-9-_]+$": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "description": {
+                  "type": "string"
+                },
+                "destination": {
+                  "type": "string"
+                },
+                "exclusions": {
+                  "type": "object"
+                },
+                "filter": {
+                  "type": "string"
+                },
+                "type": {
+                  "type": "string",
+                  "default": "logging",
+                  "enum": [
+                    "bigquery",
+                    "logging",
+                    "project",
+                    "pubsub",
+                    "storage"
+                  ]
+                }
+              }
+            }
+          }
+        }
+      }
+    },
    "factories_config": {
      "type": "object",
      "additionalProperties": false,
--- a/modules/project-factory/schemas/folder.schema.md
+++ b/modules/project-factory/schemas/folder.schema.md
@@ -6,6 +6,13 @@

 *additional properties: false*

+- **asset_search**: *object*
+  <br>*additional properties: false*
+  - **`^[a-z0-9-]+$`**: *object*
+    <br>*additional properties: false*
+    - ⁺**asset_types**: *array*
+      - items: *string*
+    - **query**: *string*
 - **asset_feeds**: *object*
  <br>*additional properties: false*
  - **`^[a-z0-9-]+$`**: *object*
@@ -75,6 +82,24 @@
      - **exempted_members**: *array*
        - items: *string*
 - **deletion_protection**: *boolean*
+- **firewall_policy**: *object*
+  <br>*additional properties: false*
+  - ⁺**name**: *string*
+  - ⁺**policy**: *string*
+- **logging**: *object*
+  <br>*additional properties: false*
+  - **kms_key_name**: *string*
+  - **storage_location**: *string*
+  - **sinks**: *object*
+    <br>*additional properties: false*
+    - **`^[a-z][a-z0-9-_]+$`**: *object*
+      <br>*additional properties: false*
+      - **description**: *string*
+      - **destination**: *string*
+      - **exclusions**: *object*
+      - **filter**: *string*
+      - **type**: *string*
+        <br>*default: logging*, *enum: ['bigquery', 'logging', 'project', 'pubsub', 'storage']*
 - **factories_config**: *object*
  <br>*additional properties: false*
  - **org_policies**: *string*
--- a/modules/project-factory/variables-folders.tf
+++ b/modules/project-factory/variables-folders.tf
@@ -17,6 +17,10 @@
 variable "folders" {
  description = "Folders data merged with factory data."
  type = map(object({
+    asset_search = optional(map(object({
+      asset_types = list(string)
+      query       = optional(string)
+    })), {})
    asset_feeds = optional(map(object({
      billing_project = string
      content_type    = optional(string)
@@ -49,10 +53,31 @@ variable "folders" {
      }))
      violation_notifications_enabled = optional(bool)
    }), null)
+    contacts            = optional(map(list(string)), {})
+    id                  = optional(string)
    name                = optional(string)
    parent              = optional(string)
    deletion_protection = optional(bool)
-    iam                 = optional(map(list(string)), {})
+    firewall_policy = optional(object({
+      name   = string
+      policy = string
+    }))
+    logging = optional(object({
+      kms_key_name     = optional(string)
+      storage_location = optional(string)
+      sinks = optional(map(object({
+        description        = optional(string)
+        destination        = string
+        disabled           = optional(bool, false)
+        exclusions         = optional(map(string), {})
+        filter             = optional(string)
+        iam                = optional(bool, true)
+        include_children   = optional(bool, true)
+        intercept_children = optional(bool, false)
+        type               = optional(string, "logging")
+      })), {})
+    }))
+    iam = optional(map(list(string)), {})
    iam_bindings = optional(map(object({
      members = list(string)
      role    = string